CVE-2025-23916: 
WordPress vulnerability analysis and mitigation

The WP Meetup WordPress plugin contains a Missing Authorization vulnerability (CVE-2025-23916) that affects all versions up to and including 2.3.0. The vulnerability was discovered by researcher Mika and was publicly disclosed on January 16, 2025. This security issue is present in the Nuanced Media WP Meetup plugin and involves incorrectly configured access control security levels (WPScan, Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The security issue stems from a missing capability check on a function that handles plugin settings (NVD, Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to modify the plugin's settings without proper authorization. This could lead to unauthorized changes to the plugin's configuration and potential disruption of the website's functionality (WPScan).

Currently, there is no official fix available for this vulnerability. Website administrators using the WP Meetup plugin version 2.3.0 or lower should consider implementing additional access controls or temporarily disabling the plugin until a patch is released (Patchstack).